A new service for the less techie criminals

Crimeware-as-a-Service is becoming the newest fad in the dark web.


Sketchy characters

You’ve heard of big business owners like Jeff Bezos, Larry Page and Warren Buffett. However, did you know there’s a long list of business owners, all of whom have access to millions of dollars at their fingertips, that you’ll never hear about? These people are the owners of crimeware-as-a-service (CaaS) businesses. For underground cybercriminals, CaaS adds a new dimension to cybercrime by making it more organized, automated and accessible to criminals with limited technical skills. Today, cybercriminals can develop, advertise and sell anything from a botnet to a browser exploit pack or a DDoS attack toolkit. Aditya K Sood, director of security and cloud threat labs at Blue Coat Systems, a part of Symantec, details how cybercriminals can obtain sensitive data, like credit card numbers, names and addresses, with just a couple of clicks and a payment.


The CaaS marketplace

The CaaS marketplace isn’t defined by a few small malicious actors; it’s a complex and varied web of organizations, all buried within the Internet. These organizations purposefully lie outside of search indexes and common users’ access points, rendering them invisible to the average web user. Phishing, which grew by 250% in 2016 as reported by APWG, is just one example of how crimeware reached an unprecedented size in 2016.


A mature market

Ten years ago, CaaS was still in its early stages. As evidenced in A Brief History of Hacking, malicious actors had the tools and technology they needed to wreak some serious havoc, but their focus was more on power than profit. At the time, major hacks were all about proving that hackers could get inside systems and exploit various vulnerabilities. Then, as hackers began to think more about money than might, things changed. While large-scale DDoS attacks, like the attack against journalist Brian Krebs’ website, make the headlines, you’re more likely to see things like browser exploit packs, malware and spyware for sale, as they are the most profitable. It would take pages to chronicle every type of crimeware for sale, but in 2016 the following are some of the best sellers…


For sale, botnets

A botnet is a network of computers infected with malicious software that allows cybercriminals to control them without the users’ knowledge. Underground entrepreneurs sell access to these already-infected computers that they control, often in bulk, for prices ranging from $100 per month (to rent the infrastructure) to $7,000 to purchase a full system.


For sale, browser exploit pack

Along with a botnet framework, browser exploit packs (BEPs) are what allow buyers to distribute things like ransomware or spyware at large scale. Like any sophisticated piece of malware, BEPs have built-in modules for obfuscation, blacklisting, administration and traffic optimization. For a full BEP package, sellers can ask for around $3,000 to $7,000.


For sale, customized phishing toolkits with weaponized exploits

Hackers that want to target a specific group, or just unsuspecting users, can pay a malicious actor to set up a Simple Mail Transfer Protocol (SMTP) server or a scam webpage, or to provide high-quality mailing lists. Each of these things can cost anywhere from $15 to $40. Another popular offering that pairs well with a phishing attack toolkit is “weaponized documents”: malicious files that look like regular Microsoft Office documents (Word, XLS, PPT, etc.) but exploit vulnerabilities in the MS Office package to download malware onto the end-user’s system. The downloaded malware can be ransomware, a remote access toolkit (RAT), etc., depending on the choice and requirements of the crimeware seller. Today, Office exploits (PPT, Word, XLS) for known CVEs or N-day vulnerabilities (not 0-days) can cost around $2,000 to $5,000.


For sale, ransomware

A popular way for hackers to make money, ransomware holds a target computer hostage until the victim pays. This software can be developed to varying degrees of complexity and as a result can span a range of costs. For example, the price of a customizable CryptoLocker executable file is around $50 according to research done by Trend Micro; on top of that, ransomware operators tend to take a 10% cut of the profits made from targets.



It costs how much?

Prices and offerings clearly vary, especially when customized and/or targeted services are offered. For example, if a disgruntled employee wanted to target a specific organization or group of users, he could purchase a DDoS attack or browser exploit pack that a seller would then help him execute. This would come at an extra cost, and on top of an estimated $4,000 to $7,000 for a BEP, it’s easy to imagine how these businesses can make a decent profit with only a few transactions.


Money, money, money

It’s hard to know exactly how much profit this underground system of businesses is netting, but by looking at the underground e-currency market, it’s clear this market is trending towards millions, even billions, of dollars. All underground businesses use e-currency (digital cash) as a medium of exchange because it is international, anonymous, irreversible, unregulated and convenient, and because it helps with money laundering. E-currencies are international because they are stored in virtual banks around the world and can be converted into several national currencies.


Underground banks

Our knowledge of these banks comes from the few organizations that have been discovered and shut down. For example, Liberty Reserve was shut down in 2013. The website LibertyReserve.com was seized by the U.S. government and labeled “a financial hub of the cyber-crime world.” From 2006 until it was shut down in 2013, Liberty Reserve alone handled $6 billion worth of transactions.


What is the FBI doing?

Another source of information on profits is the FBI. The FBI has been integral in shutting down cybercriminal organizations and in publishing detailed reports on operations, like Operation Clean Slate. Thanks to their efforts, we’ve been able to learn more about how much money these organizations have earned. For example, Zeus is a notorious piece of malware that captured passwords, account numbers and other information needed to log into online banking accounts. Zeus is thought to have allowed its operators to steal millions of dollars from victims’ bank accounts.


Why is CaaS growing?

Alongside the growth of malware and other crimeware, CaaS has flourished. Aside from the technology factors that are helping all malicious cyber activity grow, simple market economics support the industry. Supply and demand plays a significant role in setting crimeware prices. The cost of different crimeware services has recently increased because several crimeware services were taken down during anti-cybercrime operations, reducing the supply of those services. If one BEP provider goes down, the other BEP suppliers raise their prices and increase their profits. The rise in price encourages other vendors to get in on the market as they see a clear financial reward, which often outweighs the risk.


Evading the law

Though the FBI is making headway in taking down underground marketplace forums such as Darkode, cybercriminals have also become much more proactive in how they conduct transactions for crimeware services. IRC and Jabber channels are becoming a more popular means of communication than web forums, which makes tracking buyers and sellers more difficult. Additionally, targeted advertising, restricted to closed forums, helps to perpetuate CaaS in underground groups and helps buyers and sellers hide from law enforcement.


Security solutions

To start, the security solutions and mechanisms being designed today should keep pace with the new attack methods used by the cybercriminals behind crimeware services. Robust detection and prevention solutions are required to identify the output of crimeware services, such as infections, abuse of services and data exfiltration, so that unauthorized operations can be stopped early, before they result in significant business losses.

At the end of the day the CaaS marketplace is innovative, but so are we. Our best hope is to continue to shine a light into the dark web and let it be known that CaaS is out there.


Copyright © 2017 IDG Communications, Inc.